This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Add an Admin API to temporarily grant the ability to update an existing cross-signing key without UIA #16632

Closed
DMRobertson opened this issue Nov 14, 2023 · 0 comments · Fixed by #16634


@DMRobertson
Contributor

DMRobertson commented Nov 14, 2023

MAS wants a hook so that it can be responsible for doing the user-interactive auth before the client uploads a new master signing key.

MAS is going to use the special shared secret token here to drive this. We don't intend for this endpoint to be used by server operators. In fact it might make sense to implement it under /_synapse/... outside of /_synapse/admin.

Proposed impl:

  • add a nullable timestamp column updateable_without_uia_before (default NULL) to e2e_cross_signing_keys.
  • when we look for cross-signing keys for a given user with a given type, we select the newest such key. See here.
  • Change this function to also select the new timestamp column for that key and pass it back up the call chain. (Timestamps for prior signing keys are ignored.)
  • Ultimately when we get to

        is_cross_signing_setup = (
            await self.e2e_keys_handler.is_cross_signing_set_up_for_user(user_id)
        )
        # Before MSC3967 we required UIA both when setting up cross signing for the
        # first time and when resetting the device signing key. With MSC3967 we only
        # require UIA when resetting cross-signing, and not when setting up the first
        # time. Because there is no UIA in MSC3861, for now we throw an error if the
        # user tries to reset the device signing key when MSC3861 is enabled, but allow
        # first-time setup.
        if self.hs.config.experimental.msc3861.enabled:
            # There is no way to reset the device signing key with MSC3861
            if is_cross_signing_setup:
                raise SynapseError(
                    HTTPStatus.NOT_IMPLEMENTED,
                    "Resetting cross signing keys is not yet supported with MSC3861",
                    Codes.UNRECOGNIZED,
                )
            # But first-time setup is fine
        elif self.hs.config.experimental.msc3967_enabled:
            # If we already have a master key then cross signing is set up and we require UIA to reset
            if is_cross_signing_setup:
                await self.auth_handler.validate_user_via_ui_auth(
                    requester,
                    request,
                    body,
                    "reset the device signing key on your account",
                    # Do not allow skipping of UIA auth.
                    can_skip_ui_auth=False,
                )
            # Otherwise we don't require UIA since we are setting up cross signing for first time

    and hit the MSC3861 block:
      • if there is no master cross-signing key, proceed as today
      • if there is a master cross-signing key whose new timestamp column is in the future, proceed (new)
      • otherwise, raise NOT_IMPLEMENTED (as today).

@sandhose can you sanity check that the logic (particularly the last bullet) is as desired?
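The decision logic proposed in the issue, written out as an added stand-alone example (this is not Synapse's code and not the fix that landed in #16634). It models the `e2e_cross_signing_keys` rows in memory, selects the newest key of a given type for a user, and applies the three MSC3861 rules: no master key means first-time setup proceeds, a master key whose `updateable_without_uia_before` lies in the future means the replacement proceeds, anything else is rejected. The `stream_id` ordering, the millisecond timestamps, the `grant_temporary_update` helper standing in for the proposed admin endpoint, and all sample rows are assumptions constructed for the example.

```python
"""Model of the proposed "update cross-signing key without UIA" decision.

Added example only: not Synapse code. Timestamps are milliseconds since the
epoch; "newest key" is approximated by the highest stream_id (assumption).
"""
from dataclasses import dataclass, replace
from enum import Enum
from typing import List, Optional


class Decision(Enum):
    # No master key exists yet: first-time setup, no UIA needed (as today).
    FIRST_TIME_SETUP = "first_time_setup"
    # Master key exists and its grant window is still open: proceed (new rule).
    TEMPORARY_GRANT = "temporary_grant"
    # Master key exists and no open window: reject with NOT_IMPLEMENTED (as today).
    NOT_IMPLEMENTED = "not_implemented"


@dataclass(frozen=True)
class CrossSigningKeyRow:
    """One row of the (modelled) e2e_cross_signing_keys table."""
    user_id: str
    keytype: str                       # "master", "self_signing" or "user_signing"
    stream_id: int                     # assumption: higher means newer
    # The nullable column proposed in the issue; NULL means "no grant".
    updateable_without_uia_before: Optional[int] = None


def newest_key(rows: List[CrossSigningKeyRow], user_id: str, keytype: str) -> Optional[CrossSigningKeyRow]:
    """Select the newest key of `keytype` for `user_id`, or None if there is none."""
    candidates = [r for r in rows if r.user_id == user_id and r.keytype == keytype]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.stream_id)


def decide_master_key_upload(rows: List[CrossSigningKeyRow], user_id: str, now_ms: int) -> Decision:
    """Apply the MSC3861 block as proposed in the issue.

    Only the newest master key's timestamp is consulted; timestamps on older
    master keys are ignored, exactly as the issue specifies.
    """
    current = newest_key(rows, user_id, "master")
    if current is None:
        return Decision.FIRST_TIME_SETUP
    deadline = current.updateable_without_uia_before
    if deadline is not None and now_ms < deadline:
        return Decision.TEMPORARY_GRANT
    return Decision.NOT_IMPLEMENTED


def grant_temporary_update(rows: List[CrossSigningKeyRow], user_id: str, until_ms: int) -> List[CrossSigningKeyRow]:
    """Stand-in for the proposed admin endpoint (hypothetical helper).

    Stamps `updateable_without_uia_before` onto the newest master key of
    `user_id` and returns the updated table. Raises if the user has no master
    key, since there is nothing to grant in that case.
    """
    current = newest_key(rows, user_id, "master")
    if current is None:
        raise ValueError(f"{user_id} has no master cross-signing key to grant an update for")
    updated = replace(current, updateable_without_uia_before=until_ms)
    return [updated if r is current else r for r in rows]


# Constructed sample table: one user with a cross-signing setup, one without.
SAMPLE_ROWS = [
    # An old master key carrying a far-future timestamp; it must be ignored
    # because a newer master key exists.
    CrossSigningKeyRow("@alice:example.org", "master", stream_id=1,
                       updateable_without_uia_before=9_999_999_999_999),
    CrossSigningKeyRow("@alice:example.org", "master", stream_id=5),
    CrossSigningKeyRow("@alice:example.org", "self_signing", stream_id=6),
]
NOW_MS = 1_700_000_000_000  # constructed "current time"


if __name__ == "__main__":
    print("alice, no grant:", decide_master_key_upload(SAMPLE_ROWS, "@alice:example.org", NOW_MS).value)
    granted = grant_temporary_update(SAMPLE_ROWS, "@alice:example.org", NOW_MS + 60_000)
    print("alice, inside window:", decide_master_key_upload(granted, "@alice:example.org", NOW_MS).value)
    print("alice, after window:", decide_master_key_upload(granted, "@alice:example.org", NOW_MS + 60_000).value)
    print("bob, no keys:", decide_master_key_upload(SAMPLE_ROWS, "@bob:example.org", NOW_MS).value)
```

The deliberately stale first row shows why the proposal reads the timestamp only from the newest master key: a leftover grant on a superseded key must not reopen the window. The window check is strict (`now_ms < deadline`), matching "in the future", so a grant that has just expired falls through to the existing NOT_IMPLEMENTED path.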
